November 25, 2025
12 min read

Junior Cloud Engineer AWS Interview Questions: Complete Guide

interview
career-advice
job-search
entry-level
Junior Cloud Engineer AWS Interview Questions: Complete Guide
MB

Milad Bonakdar

Author

Master essential AWS fundamentals with comprehensive interview questions covering EC2, S3, VPC, IAM, and core cloud concepts for junior cloud engineer roles.

Introduction

AWS (Amazon Web Services) is the leading cloud platform, offering over 200 services for compute, storage, networking, and more. As a junior cloud engineer, you'll need foundational knowledge of core AWS services and cloud concepts to build and manage cloud infrastructure.

This guide covers essential interview questions for junior AWS cloud engineers, focusing on EC2, S3, VPC, IAM, and fundamental cloud concepts.

AWS EC2 (Elastic Compute Cloud)

1. What is AWS EC2 and what are its main benefits?

Answer: EC2 (Elastic Compute Cloud) provides resizable virtual servers in the cloud.

Key Benefits:

  • Elasticity: Scale up/down based on demand
  • Pay-as-you-go: Only pay for what you use
  • Variety: Multiple instance types for different workloads
  • Global: Deploy in multiple regions worldwide
  • Integration: Works seamlessly with other AWS services

Common Use Cases:

  • Web hosting
  • Application servers
  • Development/test environments
  • Batch processing
  • High-performance computing

Rarity: Very Common
Difficulty: Easy

2. Explain the difference between stopping and terminating an EC2 instance.

Answer:

Stopping an Instance:

  • Instance is shut down but not deleted
  • EBS root volume persists
  • You're charged for EBS storage
  • Can restart later with same configuration
  • Elastic IP remains associated
  • Instance ID stays the same

Terminating an Instance:

  • Instance is permanently deleted
  • EBS root volume deleted (unless configured otherwise)
  • No charges after termination
  • Cannot restart
  • Elastic IP is disassociated
  • Instance ID cannot be reused
# AWS CLI examples

# Stop an instance
aws ec2 stop-instances --instance-ids i-1234567890abcdef0

# Start a stopped instance
aws ec2 start-instances --instance-ids i-1234567890abcdef0

# Terminate an instance
aws ec2 terminate-instances --instance-ids i-1234567890abcdef0

Rarity: Very Common
Difficulty: Easy

AWS S3 (Simple Storage Service)

3. What is Amazon S3 and what are the different storage classes?

Answer: S3 is object storage for storing and retrieving any amount of data from anywhere.

Storage Classes:

ClassUse CaseAvailabilityCost
S3 StandardFrequently accessed data99.99%Highest
S3 Intelligent-TieringUnknown/changing access patterns99.9%Auto-optimized
S3 Standard-IAInfrequently accessed99.9%Lower
S3 One Zone-IAInfrequent, non-critical99.5%Lowest IA
S3 Glacier InstantArchive, instant retrieval99.9%Very low
S3 Glacier FlexibleArchive, minutes-hours retrieval99.99%Very low
S3 Glacier Deep ArchiveLong-term archive, 12hr retrieval99.99%Lowest
# Create S3 bucket
aws s3 mb s3://my-bucket-name

# Upload file
aws s3 cp myfile.txt s3://my-bucket-name/

# List objects
aws s3 ls s3://my-bucket-name/

# Download file
aws s3 cp s3://my-bucket-name/myfile.txt ./

Rarity: Very Common
Difficulty: Easy-Medium

AWS VPC (Virtual Private Cloud)

4. What is AWS VPC and what are its key components?

Answer: VPC is a logically isolated virtual network where you launch AWS resources.

Key Components:

Loading diagram...

Components:

  1. Subnets: Segments of VPC IP range

    • Public: Has route to Internet Gateway
    • Private: No direct internet access

  2. Internet Gateway: Enables internet access

  3. NAT Gateway: Allows private subnet internet access (outbound only)

  4. Route Tables: Control traffic routing

  5. Security Groups: Instance-level firewall (stateful)

  6. Network ACLs: Subnet-level firewall (stateless)

Rarity: Very Common
Difficulty: Medium

5. What's the difference between Security Groups and Network ACLs?

Answer:

FeatureSecurity GroupNetwork ACL
LevelInstanceSubnet
StateStatefulStateless
RulesAllow onlyAllow and Deny
Return TrafficAutomaticMust be explicitly allowed
ApplicationSelective (per instance)All instances in subnet
Rule EvaluationAll rulesRules in order

Example:

# Create security group
aws ec2 create-security-group \
  --group-name web-sg \
  --description "Web server security group" \
  --vpc-id vpc-1234567890abcdef0

# Add inbound rule (allow HTTP)
aws ec2 authorize-security-group-ingress \
  --group-id sg-0123456789abcdef0 \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0

# Add inbound rule (allow SSH from specific IP)
aws ec2 authorize-security-group-ingress \
  --group-id sg-0123456789abcdef0 \
  --protocol tcp \
  --port 22 \
  --cidr 203.0.113.0/24

Rarity: Very Common
Difficulty: Medium

AWS IAM (Identity and Access Management)

6. Explain IAM users, groups, and roles.

Answer: IAM controls access to AWS resources.

IAM Users:

  • Individual identity with credentials
  • Long-term credentials (password, access keys)
  • Use for people or applications

IAM Groups:

  • Collection of users
  • Attach policies to groups
  • Users inherit group permissions

IAM Roles:

  • Temporary credentials
  • Assumed by users, applications, or services
  • No long-term credentials
  • Use for EC2 instances, Lambda functions, cross-account access
// Example IAM Policy (S3 read-only)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}

Best Practices:

  • Use roles for EC2 instances (not access keys)
  • Follow least privilege principle
  • Enable MFA for privileged users
  • Rotate credentials regularly
  • Use groups for permission management

Rarity: Very Common
Difficulty: Medium

AWS Core Concepts

7. What are AWS Regions and Availability Zones?

Answer:

AWS Region:

  • Geographic location (e.g., us-east-1, eu-west-1)
  • Contains multiple Availability Zones
  • Isolated from other regions
  • Choose based on: latency, compliance, cost

Availability Zone (AZ):

  • One or more data centers within a region
  • Isolated from failures in other AZs
  • Connected with low-latency networking
  • Deploy across multiple AZs for high availability
Loading diagram...

High Availability Example:

# Launch instances in multiple AZs
aws ec2 run-instances \
  --image-id ami-0abcdef1234567890 \
  --instance-type t2.micro \
  --subnet-id subnet-1a \
  --count 1

aws ec2 run-instances \
  --image-id ami-0abcdef1234567890 \
  --instance-type t2.micro \
  --subnet-id subnet-1b \
  --count 1

Rarity: Very Common
Difficulty: Easy

8. What is an AMI (Amazon Machine Image)?

Answer: AMI is a template for creating EC2 instances.

Contains:

  • Operating system
  • Application server
  • Applications
  • Configuration settings

Types:

  • AWS-provided: Amazon Linux, Ubuntu, Windows
  • Marketplace: Third-party AMIs
  • Custom: Your own AMIs

Creating Custom AMI:

# Create AMI from running instance
aws ec2 create-image \
  --instance-id i-1234567890abcdef0 \
  --name "My-Web-Server-AMI" \
  --description "Web server with Apache configured"

# Launch instance from AMI
aws ec2 run-instances \
  --image-id ami-0abcdef1234567890 \
  --instance-type t2.micro \
  --key-name my-key-pair

Use Cases:

  • Standardized deployments
  • Backup and recovery
  • Auto Scaling
  • Multi-region deployment

Rarity: Common
Difficulty: Easy-Medium

AWS Storage

9. What is EBS and what are the different volume types?

Answer: EBS (Elastic Block Store) provides persistent block storage for EC2 instances.

Volume Types:

TypeUse CasePerformanceCost
gp3 (General Purpose SSD)Most workloads3,000-16,000 IOPSLowest SSD
gp2 (General Purpose SSD)Legacy, general useUp to 16,000 IOPSLow
io2/io1 (Provisioned IOPS)Databases, critical appsUp to 64,000 IOPSHighest
st1 (Throughput Optimized HDD)Big data, data warehousesHigh throughputLow
sc1 (Cold HDD)Infrequent accessLowest costLowest

Creating and Attaching EBS:

# Create EBS volume
aws ec2 create-volume \
  --availability-zone us-east-1a \
  --size 100 \
  --volume-type gp3 \
  --iops 3000 \
  --throughput 125

# Attach to instance
aws ec2 attach-volume \
  --volume-id vol-1234567890abcdef0 \
  --instance-id i-1234567890abcdef0 \
  --device /dev/sdf

# Format and mount (on the instance)
sudo mkfs -t ext4 /dev/sdf
sudo mkdir /data
sudo mount /dev/sdf /data

# Make permanent (add to /etc/fstab)
echo "/dev/sdf /data ext4 defaults,nofail 0 2" | sudo tee -a /etc/fstab

EBS Snapshots:

# Create snapshot
aws ec2 create-snapshot \
  --volume-id vol-1234567890abcdef0 \
  --description "Backup before upgrade"

# Restore from snapshot
aws ec2 create-volume \
  --snapshot-id snap-1234567890abcdef0 \
  --availability-zone us-east-1a \
  --volume-type gp3

# Copy snapshot to another region
aws ec2 copy-snapshot \
  --source-region us-east-1 \
  --source-snapshot-id snap-1234567890abcdef0 \
  --destination-region us-west-2

Key Features:

  • Persistent: Data survives instance termination
  • Snapshots: Point-in-time backups to S3
  • Encryption: At-rest and in-transit
  • Resizable: Increase size without downtime
  • Multi-attach: io2 volumes can attach to multiple instances

Best Practices:

  • Use gp3 for most workloads (better price/performance)
  • Enable encryption by default
  • Regular snapshots for backups
  • Delete unused volumes to save costs

Rarity: Very Common
Difficulty: Easy-Medium

10. Explain S3 bucket policies and how they differ from IAM policies.

Answer: Both control access to S3, but they work differently:

IAM Policies:

  • Attached to users, groups, or roles
  • Control what identities can do
  • Managed centrally in IAM

S3 Bucket Policies:

  • Attached to S3 buckets
  • Control access to specific buckets
  • Can grant cross-account access
  • Can restrict by IP address

Example IAM Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

Example S3 Bucket Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-public-bucket/*"
    },
    {
      "Sid": "RestrictByIP",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}

Apply Bucket Policy:

# Create policy file (policy.json)
# Then apply it
aws s3api put-bucket-policy \
  --bucket my-bucket \
  --policy file://policy.json

# View current policy
aws s3api get-bucket-policy \
  --bucket my-bucket

# Delete policy
aws s3api delete-bucket-policy \
  --bucket my-bucket

Common Use Cases:

1. Public Website Hosting:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-website/*"
    }
  ]
}

2. Cross-Account Access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::shared-bucket",
        "arn:aws:s3:::shared-bucket/*"
      ]
    }
  ]
}

3. Enforce Encryption:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}

When to Use:

  • IAM Policy: Control what your users/applications can do
  • Bucket Policy: Control who can access your bucket (including external accounts)

Rarity: Very Common
Difficulty: Medium

Monitoring & Management

11. What is CloudWatch and how do you use it for monitoring?

Answer: CloudWatch is AWS's monitoring and observability service.

Key Components:

1. Metrics:

  • Numerical data points over time
  • EC2: CPU, Network, Disk
  • RDS: Connections, IOPS
  • Custom metrics: Application-specific
# View EC2 CPU metrics
aws cloudwatch get-metric-statistics \
  --namespace AWS/EC2 \
  --metric-name CPUUtilization \
  --dimensions Name=InstanceId,Value=i-1234567890abcdef0 \
  --start-time 2024-11-25T00:00:00Z \
  --end-time 2024-11-25T23:59:59Z \
  --period 3600 \
  --statistics Average,Maximum

# Publish custom metric
aws cloudwatch put-metric-data \
  --namespace MyApp \
  --metric-name PageLoadTime \
  --value 0.5 \
  --unit Seconds

2. Alarms:

# Create alarm for high CPU
aws cloudwatch put-metric-alarm \
  --alarm-name high-cpu-alarm \
  --alarm-description "Alert when CPU exceeds 80%" \
  --metric-name CPUUtilization \
  --namespace AWS/EC2 \
  --statistic Average \
  --period 300 \
  --threshold 80 \
  --comparison-operator GreaterThanThreshold \
  --evaluation-periods 2 \
  --dimensions Name=InstanceId,Value=i-1234567890abcdef0 \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:my-topic

3. Logs:

# Create log group
aws logs create-log-group \
  --log-group-name /aws/application/myapp

# Create log stream
aws logs create-log-stream \
  --log-group-name /aws/application/myapp \
  --log-stream-name instance-1

# Put log events
aws logs put-log-events \
  --log-group-name /aws/application/myapp \
  --log-stream-name instance-1 \
  --log-events \
    timestamp=1234567890000,message="Application started" \
    timestamp=1234567891000,message="Processing request"

# Query logs
aws logs filter-log-events \
  --log-group-name /aws/application/myapp \
  --filter-pattern "ERROR" \
  --start-time 1234567890000

4. Dashboards:

# Create dashboard with boto3
import boto3
import json

cloudwatch = boto3.client('cloudwatch')

dashboard_body = {
    "widgets": [
        {
            "type": "metric",
            "properties": {
                "metrics": [
                    ["AWS/EC2", "CPUUtilization", {"stat": "Average"}]
                ],
                "period": 300,
                "stat": "Average",
                "region": "us-east-1",
                "title": "EC2 CPU Utilization"
            }
        },
        {
            "type": "metric",
            "properties": {
                "metrics": [
                    ["AWS/RDS", "DatabaseConnections"]
                ],
                "period": 300,
                "stat": "Sum",
                "region": "us-east-1",
                "title": "RDS Connections"
            }
        }
    ]
}

cloudwatch.put_dashboard(
    DashboardName='MyAppDashboard',
    DashboardBody=json.dumps(dashboard_body)
)

Common Monitoring Scenarios:

Monitor EC2 Instance:

# CPU, Network, Disk metrics are automatic
# For memory, need CloudWatch agent

# Install CloudWatch agent
wget https://s3.amazonaws.com/amazoncloudwatch-agent/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm
sudo rpm -U ./amazon-cloudwatch-agent.rpm

# Configure agent (creates config file)
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard

# Start agent
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl \
  -a fetch-config \
  -m ec2 \
  -s \
  -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json

Monitor Application Logs:

# Python application with CloudWatch logging
import boto3
import logging
from datetime import datetime

class CloudWatchHandler(logging.Handler):
    def __init__(self, log_group, log_stream):
        super().__init__()
        self.client = boto3.client('logs')
        self.log_group = log_group
        self.log_stream = log_stream
        
    def emit(self, record):
        log_entry = self.format(record)
        self.client.put_log_events(
            logGroupName=self.log_group,
            logStreamName=self.log_stream,
            logEvents=[{
                'timestamp': int(datetime.now().timestamp() * 1000),
                'message': log_entry
            }]
        )

# Usage
logger = logging.getLogger()
logger.addHandler(CloudWatchHandler('/aws/myapp', 'instance-1'))
logger.info("Application started")

Best Practices:

  • Set up alarms for critical metrics
  • Use log groups to organize logs
  • Create dashboards for quick overview
  • Set retention policies to control costs
  • Use metric filters for log analysis

Rarity: Very Common
Difficulty: Medium

Conclusion

Preparing for a junior AWS cloud engineer interview requires understanding core services and cloud concepts. Focus on:

  1. EC2: Instance types, lifecycle, security
  2. S3: Storage classes, bucket policies, versioning
  3. VPC: Networking, subnets, security groups
  4. IAM: Users, roles, policies, least privilege
  5. Core Concepts: Regions, AZs, AMIs

Practice using the AWS Console and CLI to gain hands-on experience. Good luck!

Newsletter subscription

Weekly career tips that actually work

Get the latest insights delivered straight to your inbox

Related Posts

Senior Cloud Engineer AWS Interview Questions: Complete Guide
Nov 25, 2025
13 min read

Senior Cloud Engineer AWS Interview Questions: Complete Guide

Master advanced AWS concepts with comprehensive interview questions covering architecture design, auto scaling, advanced networking, cost optimization, and security for senior cloud engineer roles.

MBMilad Bonakdar
Junior DevOps Engineer Interview Questions: Complete Guide
Nov 25, 2025
19 min read

Junior DevOps Engineer Interview Questions: Complete Guide

Master essential DevOps fundamentals with comprehensive interview questions covering Linux, Git, CI/CD, Docker, cloud basics, and Infrastructure as Code for junior DevOps engineers.

MBMilad Bonakdar
Junior Cloud Engineer Azure Interview Questions: Complete Guide
Nov 25, 2025
11 min read

Junior Cloud Engineer Azure Interview Questions: Complete Guide

Master essential Azure fundamentals with comprehensive interview questions covering Virtual Machines, Storage, Virtual Networks, RBAC, and core cloud concepts for junior cloud engineer roles.

MBMilad Bonakdar
Decorative doodle

Your Next Interview is Just One Resume Away

Create a professional, optimized resume in minutes. No design skills needed—just proven results.

Create my resume

Share this post

Make Your 6 Seconds Count

Recruiters scan resumes for an average of only 6 to 7 seconds. Our proven templates are designed to capture attention instantly and keep them reading.

Create a Standout Resume